ANONYMOUS FINGERPRINTING 
USING BILNEAR DI FFIE-HELLMAN PROBLEM 

Field of the Invention 

5 

The present invention relates to a fingerprinting 
scheme; and, more particularly, to an anonymous 
fingerprinting scheme capable of preserving anonymity of a 
buyer and reducing a key size of algorithm without a 
10 collusion attack problem. 

Background of the Invention 

In the progress of computer networks and the 
15 development of Internet, protection of digitally stored 
information property has become a crucial problem that 
should be solved. Many schemes such as a fingerprinting 
scheme and a watermarking scheme have been proposed for 
technically supporting the copyright protection of digital 
20 data. 

The watermarking scheme serves as one of the 
reasonable alternatives for solving several problems such as 
a piracy, an illegal duplicate and an illegal distribution 
thereof in a manner that an owner of a digital content 
25 embeds specific information in the digital content and 
extracts the specific information therefrom. 
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On the other hand, the fingerprinting scheme is one of 
cryptography for protecting copyright of a digital content, 
in which information on a buyer is embedded by the 
watermarking scheme. In a conventional fingerprinting 
5 scheme, a buyer embeds information on the buyer in a digital 
content and a merchant examines an illegal duplicate or an 
illegally redistributed duplicate to trace an illegal buyer 
or re-distributor based on the buyer' s information embedded, 
in the illegally redistributed duplicate. Further, in the 

10 fingerprinting scheme, the merchant can identify an original 
buyer of the illegally redistributed duplicate, referred to 
as a traitor, thereby deterring a buyer from illegally 
redistributing the digital content. 

The conventional fingerprinting scheme is usually 

15 divided into two classes, i.e., a symmetric fingerprinting 
and. an asymmetric fingerprinting. 

In the symmetric fingerprinting, fingerprints are 
embedded in a digital content only by a merchant. However, 
even if the merchant recognizes an identity of a traitor 

20 from the digital content, the merchant cannot convince a 
third party, especially, a registration authority, who the 
traitor is. 

In the asymmetric fingerprinting, fingerprints are 
embedded in a digital content by an interactive protocol 
25 between a buyer and a merchant. When a transaction between 
the buyer and the merchant is completed, only the buyer has 
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a fingerprinted copy. If the merchant has found an 
illegally distributed duplicate somewhere, the merchant can 
distinguish a traitor from other buyers and prove a third 
party, especially, a registration authority, who the traitor 
5 is . 

However, for two aforementioned fingerprinting schemes, 
there is a possibility of infringing privacy of a buyer 
because a merchant requires information about the buyer. 
Further, if a buyer purchases digital items, especially, 
10 through an open network, information on the buyer, e.g., a 
shopping behavior and a personal profile, may be revealed to 
the public, which in turn can be commercially abused through 
networks . 

Thus, when a buyer purchases a fingerprinted digital 
15 content, it is desirable that the buyer remains anonymous as 
long as the buyer does not illegally distribute the digital 
content. For this purpose, an anonymous asymmetric 

fingerprinting (in short, an anonymous fingerprinting) has 
been proposed . 

20 • The anonymous fingerprinting retains the asymmetric 

property as a sort of the asymmetric fingerprinting. In the 
anonymous fingerprinting, a buyer can purchase a 
fingerprinted digital content without revealing a profile of 
the buyer to a merchant, while a merchant can detect a 

25 traitor when finding an illegally redistributed duplicate. 

However, the conventional fingerprinting scheme, 
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especially, the anonymous fingerprinting, does not take 
account of computational capability of a buyer. In other 
words, it is not easy to practically use algorithm for 
supporting the conventional fingerprinting scheme because a 
5 key size for the algorithm is too large. 

Further, in the fingerprinting scheme, there is a 
probability for collusion attack. That is, a collusion 
group can obtain a multiplicity of digital contents having 
different fingerprints and then compare each other to 
10 capture positions where original fingerprints are embedded. 

Then the collusion group can remove the original 
fingerprints and interpolate gaps to thereby resell the 
digital contents without worrying about being traced. 

15 Summary of the Invention 

It is, therefore, an object of the present invention 
to provide an anonymous fingerprinting method and apparatus 
using bilinear pairings, which is capable of preserving 

20 anonymity of a buyer as long as the buyer does not illegally 
distribute digital contents and reducing a key size of 
algorithm without risking a collusion attack problem. 

In accordance with an aspect of the present invention, 
there is provided an anonymous fingerprinting method using a 

25 bilinear Dif f ie-Hellman problem, in a fingerprints embedment 
system that includes three participants, including the steps 
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of: (a) introducing system parameters shared by a first and 
a second participant, storing the system parameters in a 
memory of each of the first and the second participant and 
generating a public key and a secret key of the first 
5 participant; (b) registering information on the first 
participant to a third participant based on the system 
parameters and the public and the secret key of the first 
participant, ' wherein the third participant issues a 
certificate based on the information on the first 

10 participant; (c) at the second participant, authenticating a 
fairness of the first participant based on the certificate; 
(d) embedding fingerprints into a digital content to be 
bought by the first participant; and (e) when an illegal 
duplicate of the digital content or an illegally 

15 redistributed duplicate is found, identifying a traitor, who 
illegally duplicates the digital content or redistributes 
the illegally duplicated digital content, with the first 
participant based on the fingerprints embedded in the 
digital content. 

20 In accordance with another aspect of the present 

invention, there is provided an anonymous fingerprinting 
apparatus using a bilinear Dif f ie-Hellman problem, 
including: a registration authority; a buyer; and a merchant, 
wherein the apparatus performs the steps of: introducing 

25 system parameters shared by a first and a second participant, 
storing the system parameters in a memory of each of the 



first and the second participant and generating a public key 
and a secret key of each of the first and the second 
participant; registering information on the first 
participant to a third participant based on the system 
5 parameters and the public and the secret key of the first 
participant, wherein the third participant issues a 
certificate based on the information of the first 
participant; at the second participant, authenticating a 
fairness of the first participant based on the certificate; 

10 embedding fingerprints into a digital content to be bought 
by the first participant; and when an illegal duplicate of 
the digital content or an illegally redistributed duplicate 
is found, identifying a traitor, who illegally duplicates 
the digital content or redistributes the illegally 

15 duplicated digital content, with the first participant. 

Brief Description of the Drawings 

The above and other objects and features of the 
20 present invention will become apparent from the following 
description of preferred embodiments given in conjunction 
with the accompanying drawings, in which: 

Fig. 1 shows a flow chart for illustrating an 
anonymous fingerprinting scheme using a B-DH (bilinear 
25 Dif f ie-Hellman) problem in accordance with the present 
invention; 
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Fig. 2 represents a schematic block diagram for 
representing the anonymous fingerprinting scheme using B-DH 
problem; 

Fig. 3 depicts a flow chart for illustrating a setting 
5 process of the anonymous fingerprinting scheme using B-DH 
problem; 

Fig. 4 provides a flow chart for illustrating a 
registering process of the anonymous fingerprinting scheme 
using B-DH problem; 
10 Fig. 5 offers a flow chart for illustrating a buyer 

authenticating proces of the anonymous fingerprint ing scheme 
using B-DH problem; 

Fig. 6 is a flow chart for illustrating a fingerprints 
embedding process of the anonymous fingerprinting scheme 
15 using B-DH problem; and 

Fig. 7 describes a flow chart for illustrating an 
identifying process of the anonymous fingerprinting scheme 
using B-DH problem. 

2 0 Detailed Description of the Preferred Embodiments 

An anonymous fingerprinting scheme in accordance with 
a preferred embodiment of the present invention makes use of 
a bilinear map on an elliptic curve to construct a group G, 
25 in which a C-DH (computational Dif f ie-Hellman ) problem is 
intractable but a D-DH (decisional Dif f ie-Hellman) problem 
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is tractable. However, since in the D-DH problem, it is too 
easy to build cryptosystems , the security of the anonymous 
fingerprinting scheme in accordance with the present 
invention is intrinsically based on an intractability of the 
5 C-DH problem called a B-DH (bilinear Dif f ie-Hellman) problem. 

The anonymous fingerprinting scheme using B-DH problem 
in accordance with the present invention includes following 
three procedures: a registration procedure (step S100), a 
fingerprinting procedure (steps S200 and S300) and an 

10 identification procedure (step S400) , wherein the 
registration procedure involves a key generation process and 
the fingerprinting procedure is divided into a buyer 
authentication process (step S200) and a fingerprints 
embedding process (step S300), as shown in Fig. 1. 

15 Fig. 2 represents an anonymous fingerprinting scheme 

in accordance with the present invention, which includes a 
buyer 100, a merchant 200 and a registration authority 300, 
each of which has a storage medium, e.g., a memory, and an 
operating unit, e.g., a CPU, as participants of the 

20 anonymous fingerprinting scheme. Each of the participants, 
which may be a computer system or an actual user, 
communicates remotely through any kind of communications 
network or other techniques. Information to be transferred 
between each of the participants may be stored or detained 

25 in various types of storage media. 

The registration authority 300, which has an operating 
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unit (not shown) for computing algorithms and a storage 
medium 301 for storing computed results or specific 
information, introduces system parameters to be shared and 
utilized by the buyer 100 and the merchant 200. Also, the 
5 registration authority 300 produces a public key and a 
secret key of the buyer 100 based on the system parameters 
and then provides corresponding keys to the buyer 100 
through secure channels. 

Further, the registration authority 300 issues a 

10 certificate so that the buyer 100 can prove fairness for 
itself to the merchant 200. Moreover, when the merchant 200 
detects a clue for a buyer to be a traitor and presents the 
registration authority 300 with a proof that the buyer is 
the traitor, the registration authority 300 ascertains 

15 whether the buyer is truly the traitor. 

The buyer 100, which has an operating unit (not shown) 
for computing algorithms and a storage medium 101 for 
storing computed results or specific information, registers 
information of the buyer such as personal profile to the 

20 registration authority 300 by using the public and the 
secret key of the buyer 100 provided from the registration 
authority 300. The information on the buyer 100 becomes 
grounds that the merchant 200 can distinguish the buyer 100 
from another buyers when the merchant 200 finds an illegal 

25 digital content. That is, when the illegal digital content 
is found, the information on the buyer 100 can be used for 
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the merchant 200 to ascertain who an original buyer of the 
illegal digital content is. 

The buyer 100 authenticates fairness for itself to the 
merchant 200 by using the secret and the public key of the 
5 buyer 100 and the certificate provided from the registration 
authority 300. Further, the buyer 100 participates in the 
fingerprints embedding process through an interactive 
protocol with the merchant 200, while concealing an identity 
of the buyer 100, after being determined to be fair in the 

10 buyer authentication process. 

The merchant 200, which has an operating unit (not 
shown) for computing algorithms and a storage medium 201 for 
storing computed results or specific information, examines 
information presented by the buyer 100 to verify fairness of 

15 the buyer 100. Further, the merchant 200 participates with 
the buyer 100 in the fingerprints embedding process. 

Hereinafter, the anonymous fingerprinting scheme using 
B-DH problem of the present invention will be described with 
reference to Figs. 3 to 6, in detail. 

20 Fig. 3 depicts a flow chart for illustrating the key 

generation process of the registration procedure in the 
anonymous fingerprinting scheme using B-DH problem. 

At step S101, the registration authority 300 generates 
cyclic groups Gi and G 2 , each of which is of a prime order m, 

25 and then takes an arbitrary generator P out of the cyclic 
group Gi, wherein the cyclic group G± is an elliptic curve 
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group and the cyclic group G 2 is a cyclic multiplicative 
group . 

At step S102, the registration authority 300 produces 
a bilinear map e on the two cyclic groups Gi and G2 as 
5 follows: 

e ; G 2 x G 2 -+ G 2 Eq . 1 . 

At step S103, the registration authority 300 stores 
system parameters such as d, G 2 and P in the storage medium 
301 and opens the system parameters so that the buyer 100 
10 and the merchant 200 can share and use them. 

At step S104, the registration authority 300 selects 
random values Si, s 2 and s 3 corresponding to G 2 to generate a 
secret key {si, s 2 , s 3 } of the buyer 100 and then calculates 
a public key y B of the buyer 100 as follows: 
15 y B = e(P, P) 313253 Eq. 2 

and then the secret key {si, s 2 , s 3 } and the public key y B 
are forwarded to the buyer 100 to be stored in the storage 
medium 101 of the buyer 100. 

Hereinafter, the registration procedure after the key 
20 generation process in the anonymous fingerprinting scheme 
using B-DH problem will be described as shown in Fig. 4. 

At step S201, the registration authority 300 selects 
an arbitrary random value . x R corresponding to the cyclic 
group G 2 based on the system parameters, calculates a 
25 confidential value T R as follows: 

T R = x R P Eq. 3 
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, and then sends the confidential value T R to the buyer 100, 
wherein T R is used to make it sure that x R is safely sent to 
the buyer 100. 

At step S202, the buyer 100 computes pseudonym keys X 
5 and Y by using the secret key {si, s 2 , s 3 } as follows: 

X = SxS 2 P Eq. 4, and 

Y = S!S2S 3 P + T R Eq. 5 

, and then sends the pseudonym keys X and Y to the 
registration authority 300. 
10 At step S203, on receiving the pseudonym keys X and Y, 

the registration authority 300 verifies validity of the 
pseudonym keys X and Y as follows: 

e(Y, P) = y B - e(P, T R ) Eq. 6. 

At step S204, if the pseudonym keys X and Y determined 
15 to be valid, the registration authority 300 calculates T as 
follows : 

T = e(X, T R ) Eq. 7 

and stores calculated result in the storage medium 301, 
wherein T is an intermediate value for judging whether or 

20 not the buyer 100 is an owner of a secret key corresponding 
to the pseudonym keys X and Y. 

At step S205, the registration authority 300 issues 
certificates Cert(T) and Cert(Y|x R ), which certify 
respectively validities of T and Y, for proving a fairness 

25 of the buyer 100 and then forwards the certificates Cert(T) 
and Cert(Y|x R ) to the buyer 100. 
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At step S206, on receiving the certificates Cert(T) 
and Cert(Y|x R ), the buyer 100 calculates T' as follows: 
T' = e(X, T R ) Eq. 8 

, wherein T' is a value for notifying that the buyer 100 is 
5 an owner of a secret key corresponding to the pseudonym keys 
X and Y. Then the buyer 100 views (Y, T" ) as a pseudonym 
pair and safely stores the pseudonym pair (Y, T' ) in the 
storage medium 101. 

Next, the buyer authentication process in the 
10 anonymous fingerprinting scheme using a B-DH problem will be 
carried out as shown in Fig. 5. 

At step S301, the buyer 100 sends Y, [T' , Cert (T) ] and 
text to the merchant 200, wherein the text represents normal 
information about a digital content to be fingerprinted. 
15 At step S302, the buyer 100 selects an arbitrary 

random value k corresponding to G2, thereby generating a B- 
DH signature Sig to be embedded as follows: 

Sig = Sign(text, s lr s 2 , s 3 , x R , k) Eq. 9. 

At step S303, the merchant 200 checks fairness of the 
20 buyer 100 based on the certificate Cert (T) sent from the 
buyer 100. If the buyer 100 is determined to be fair, the 
merchant 200 stores [T" , Cert(T)] as a purchase record of 
the buyer 100 in the storage medium 201. 

Fig. 6 shows a fingerprints embedding process for the 
25 buyer 100 and the merchant 200, which is realized through a 
secure two-party computation between them. 
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At step S401, the buyer 100 and the merchant 200 
exchange certain information therebetween. That is, the 
buyer 100 sends x R , Sig, Si, s 2 , Cert(Y|x R ) to the merchant 
200 and the merchant 200 presents T" , Y, the text and em to 
5 the buyer 100, wherein em denotes the digital content to be 
fingerprinted . 

At step S402, a specific value vali is generated as 
follows : 

valj = Verify! (text , Sig, Y) Eq. 10 

10 , vali being a Boolean variable to be seen by only the 
merchant 200 when verification of the B-DH signature Sig for 
the text is completed successfully. 

At step S403, a particular value val 2 is generated as 
follows: 

15 val 2 - Veri£y 2 (Y, Cert(Y\x R ), s 2 , s 2f Xr, T' ) 

Eq. 11 

, val 2 being also a Boolean variable to be seen by only the 
merchant 200 when the certificate Cert(Y|x R ) and the B-DH 
signature Sig for the text are respectively verified as to 
20 be described later. 

At step S404, the merchant 200 generates emb as 
follows : 

emb = text \ Sig \ Y \ Cert(Y\x R ) \ s 2 | s 2 I | T' 

Eq. 12 

25 to be stored in the storage medium 201, wherein emb 
represents fingerprints to be embedded into the digital 
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content em. 

At step S405, the merchant 200 obtains a fingerprinted 
digital content em* as follows: 

em* = Fing (em , emb) Eq. 13 

5 and then sends the fingerprinted digital content em* to the 
buyer 100. 

As a consequence, the fingerprinted digital content 
em* is obtained as an output of the two-party computation 
and is seen by only the buyer 100. However, the buyer 100 
10 cannot get the fingerprinted digital content em* unless both 
vali and val 2 from Eqs . 10 and 11 are true. 

Finally, an identification procedure is ' carried out in 
case where the merchant 200 detects a clue for a buyer to be 
a traitor. 

15 Referring to Fig. 7, at step S501, the merchant 200 

verifies the B-DH signature Sig for the text as follows: 
T" = e(s 1 s 2 P, x R P) Eq. 14 

and then stores the verified result from Eq. 14 in the 
storage medium 201, wherein T" is a value for checking 
20 whether or not the buyer 100 is an owner of a secret key 
corresponding to the pseudonym key Y' . 

At step S502, the merchant 200 examines who is an 
owner of a pseudonym key Y' , as follows: 
e(Y', P) = e(s 1 s 2 s 3 P + T R P) 
25 = e(s 1 s 2 s 3 P + x R P, P) 

= e(s 1 s 2 s 3 P / P) ■ e(x R P, P) 
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= y B • e(P, P)** Eq. 15 

, wherein if the pseudonym key Y' satisfies Eq. 15, the 
merchant 200 can prove that the owner of the pseudonym key 
Y' is the traitor. 
5 That is, only x R is associated with T and Y as seen 

from Eq. 5 and Eq. 7 and only the registration authority 300 
can provide x R such that the result T" of Eq. 14 is same as 
the result T of Eq. 7. Further, the buyer 100 cannot 
produce T" identical to T without knowing x R in polynomial 

10 time and the merchant 200 cannot forge x R because T and Y 
are certified by only the registration authority 300. 
Therefore, x R can be used for proving that an owner of the 
pseudonym key Y' is same as that of T' . In other words, the 
merchant 200 can prove that the buyer 100 is a traitor 

15 because T" calculated by the merchant 200 based on T' 
provided from the buyer 100 does not correspond to T 
calculated by the registration authority 300. 

While the invention has been shown and described with 
respect to the preferred embodiments, it will be understood 

20 by those skilled in the art that various changes and 
modifications may be made without departing from the spirit 
and scope of the invention as defined in the following 
claims . 
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